authorJohn Brooks <john.brooks@bluecherry.net>2011-11-09 20:14:19 -0700
committerRonald S. Bultje <rsbultje@gmail.com>2011-11-09 21:37:13 -0800
commit6c643e070584ba7af251d3907e277d2170537b1f (patch)
tree30c04f0c53183102b842565b4e2040d27a2f8641
parentf1f6d3615f3f9a81f41905ea0c8116b4985870e4 (diff)
avc: fix memory errors when encoding invalid h264 codecdata
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
-rw-r--r--libavformat/avc.c29
1 files changed, 18 insertions, 11 deletions
diff --git a/libavformat/avc.c b/libavformat/avc.c
index 70a05ec5bc..b0c511e7b5 100644
--- a/libavformat/avc.c
+++ b/libavformat/avc.c
@@ -75,8 +75,11 @@ int ff_avc_parse_nal_units(AVIOContext *pb, const uint8_t *buf_in, int size)
size = 0;
nal_start = ff_avc_find_startcode(p, end);
- while (nal_start < end) {
- while(!*(nal_start++));
+ for (;;) {
+ while (nal_start < end && !*(nal_start++));
+ if (nal_start == end)
+ break;
+
nal_end = ff_avc_find_startcode(nal_start, end);
avio_wb32(pb, nal_end - nal_start);
avio_write(pb, nal_start, nal_end - nal_start);
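Review bot: The empty-bodied `while (nal_start < end && !*(nal_start++));` is easy to misread, because the post-increment in the condition also steps past the first non-zero byte, so afterwards `nal_start` points at the NAL payload rather than at the byte that stopped the scan. A comment would make that explicit, e.g. `/* skip the start code's zero bytes and its terminating non-zero byte */`, and putting the `;` on its own line would show that the empty body is intentional. The `nal_start == end` test then covers both running out of data inside the zero run and a start code that ends exactly at `end`, which is worth stating in the same comment. The `for (;;)` body continues past the end of this hunk.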
@@ -117,22 +120,26 @@ int ff_isom_write_avcc(AVIOContext *pb, const uint8_t *data, int len)
end = buf + len;
/* look for sps and pps */
- while (buf < end) {
- unsigned int size;
+ while (end - buf > 4) {
+ uint32_t size;
uint8_t nal_type;
- size = AV_RB32(buf);
- nal_type = buf[4] & 0x1f;
+ size = FFMIN(AV_RB32(buf), end - buf - 4);
+ buf += 4;
+ nal_type = buf[0] & 0x1f;
+
if (nal_type == 7) { /* SPS */
- sps = buf + 4;
+ sps = buf;
sps_size = size;
} else if (nal_type == 8) { /* PPS */
- pps = buf + 4;
+ pps = buf;
pps_size = size;
}
- buf += size + 4;
+
+ buf += size;
}
- assert(sps);
- assert(pps);
+
+ if (!sps || !pps || sps_size < 4 || sps_size > UINT16_MAX || pps_size > UINT16_MAX)
+ return AVERROR_INVALIDDATA;
avio_w8(pb, 1); /* version */
avio_w8(pb, sps[1]); /* profile */
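Review bot: The new `return AVERROR_INVALIDDATA;` leaves the function after `buf` has been walked, and the hunk does not show where `buf` comes from. If it is a buffer allocated earlier in `ff_isom_write_avcc` (it is advanced in place and is distinct from the `const` `data` argument), this path would skip its release, so the return should free it first, e.g. `{ av_free(<base pointer of buf>); return AVERROR_INVALIDDATA; }`. Separately, the check bounds `sps_size` from below but not `pps_size`, and a length prefix of 0 makes `nal_type = buf[0] & 0x1f` read the first byte of the next length prefix, so a zero-length PPS can be recorded and accepted. Adding `|| pps_size < 1` to the condition, or skipping NALs with `size == 0`, would close that. The function starts and ends outside the hunk.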